Saturday, June 8, 2024

Cisco 131 - Port Security

If an unauthorized source MAC address enters a port, the default action is to place the interface in the 'err-disabled' state.  The end result is the same as if the interface had been shut down.

If port security is enabled on an interface, by default only a single MAC address is allowed:
- The first source MAC address that enters the interface (dynamically learned)
- Or you can configure the MAC address manually

You can change the maximum number of MAC addresses allowed.  For example, when a PC connects through an IP phone to a switch interface, you need to raise the maximum to two so that both devices can use the interface.

Rather than manually specifying the MAC addresses allowed on each port, port security's ability to limit the number of MACs allowed on an interface is usually the more useful feature.  It helps against DHCP starvation attacks (which send DHCP requests from many spoofed source MACs) and against MAC flooding attacks that try to fill up the switch's MAC address table.

SW1(config)#int g0/1
SW1(config-if)#switchport port-security
^ This is the simplest command to turn on port security.   However, if g0/1 is running switch defaults, it is a dynamic port (dynamic auto).  The command is rejected because you cannot enable port security on a dynamic port.

Port security can be enabled on access or trunk ports, but they must be statically configured as access or trunk.  They cannot be dynamic.

switchport mode access = OK
switchport mode trunk = OK
switchport mode dynamic auto = NOT OK
switchport mode dynamic desirable = NOT OK

Confirm the port is running in dynamic auto mode:

SW1#show int g0/1 switchport
Name: Gi0/1
Switchport: Enabled

Administrative Mode: dynamic auto
Operational Mode: static access

So we need to flip the port to access mode:

SW1(config-if)#switchport mode access

Confirm the port no longer runs in dynamic auto mode:

SW1#show int g0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access

Now we can enable port security:
SW1(config-if)#switchport port-security
^ Turns on port security on the interface with the default port security settings.

SW1#show port-security int g0/1
Port Security: Enabled
Port Status: Secure-up
Violation Mode: Shutdown
Aging Time: 0 mins
Aging Type: Absolute
SecureStatic Address Aging: Disabled
Maximum MAC Addresses: 1
Total MAC Addresses: 0
Configured MAC Addresses: 0
Sticky MAC Addresses: 0
Last Source Address: Vlan: 0000.0000.0000:0
Security Violation Count: 0

Notice:
Violation Mode: Shutdown
^ This means the port will be err-disabled if an unauthorized MAC address is seen.

Possible settings for Violation Mode (note that alphabetical order is also the order of increasing enforcement/disruption):

    Protect - The switch discards frames from unauthorized MAC addresses.  It does not shut down the interface, does not log the violation and does not increment the violation counter.  Because nothing is logged or counted, violations in this mode are invisible unless you are watching the port some other way.

    Restrict - The switch discards frames from unauthorized MAC addresses.  It does NOT disable the interface, but it logs the violation (syslog/SNMP).  The violation counter is incremented by 1 for each unauthorized frame.

    Shutdown - Default - Shuts down the port (err-disabled state) and generates a syslog/SNMP message.  The violation counter is set to 1.
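As an added example (not from these notes or from Jeremy's course), here is a small Python audit that parses `show port-security interface` output for several ports and flags the conditions described above: a port that is err-disabled after a violation, a port in restrict mode with a non-zero violation counter, a port in protect mode (where a zero counter proves nothing, since protect counts nothing), and a port with port security not enabled at all.  The sample outputs are constructed rather than captured from a real switch, and the audit assumes every port it is handed is an access port that is supposed to have port security on.

```python
import re

# Constructed sample output (not captured from a real switch).  The field layout
# follows "show port-security interface" as shown in the notes; real IOS pads
# the field names with spaces, which the parser tolerates.
TEMPLATE = """\
Port Security              : {enabled}
Port Status                : {status}
Violation Mode             : {mode}
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : {maximum}
Total MAC Addresses        : {total}
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : {last}
Security Violation Count   : {violations}
"""

SAMPLE_OUTPUTS = {
    # healthy: one learned MAC, no violations
    "Gi0/1": TEMPLATE.format(enabled="Enabled", status="Secure-up", mode="Shutdown",
                             maximum=1, total=1, last="000a.000a.000a:10", violations=0),
    # err-disabled after an unauthorized MAC showed up
    "Gi0/2": TEMPLATE.format(enabled="Enabled", status="Secure-shutdown", mode="Shutdown",
                             maximum=1, total=1, last="00bb.00bb.00bb:10", violations=1),
    # protect mode: offending frames are dropped, nothing logged or counted
    "Gi0/3": TEMPLATE.format(enabled="Enabled", status="Secure-up", mode="Protect",
                             maximum=2, total=2, last="0000.0000.0000:0", violations=0),
    # restrict mode: port stays up but every violating frame is counted
    "Gi0/4": TEMPLATE.format(enabled="Enabled", status="Secure-up", mode="Restrict",
                             maximum=1, total=1, last="00cc.00cc.00cc:20", violations=37),
    # port security never enabled
    "Gi0/5": TEMPLATE.format(enabled="Disabled", status="Secure-down", mode="Shutdown",
                             maximum=1, total=0, last="0000.0000.0000:0", violations=0),
}

# "Field name : value"; the name is letters and spaces up to the first colon.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*)$")
# Cisco dotted MAC followed by ":vlan", as in "000a.000a.000a:10".
MAC_VLAN_RE = re.compile(r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}):(\d+)", re.I)


def parse_port_security(text):
    """Turn one interface's show output into a dict of typed fields."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()

    def count(key):
        m = re.match(r"\d+", fields.get(key, ""))
        return int(m.group()) if m else 0

    last = MAC_VLAN_RE.search(fields.get("Last Source Address", ""))
    if last and set(last.group(1)) <= set("0."):  # all zeros = nothing seen yet
        last = None
    return {
        "enabled": fields.get("Port Security", "").lower() == "enabled",
        "status": fields.get("Port Status", "").lower(),
        "violation_mode": fields.get("Violation Mode", "").lower(),
        "max_macs": count("Maximum MAC Addresses"),
        "total_macs": count("Total MAC Addresses"),
        "violations": count("Security Violation Count"),
        "last_mac": last.group(1).lower() if last else None,
        "last_vlan": int(last.group(2)) if last else None,
    }


def audit(outputs):
    """Return (interface, severity, message) findings for a dict of show outputs."""
    findings = []
    for name, text in outputs.items():
        ps = parse_port_security(text)
        if not ps["enabled"]:
            findings.append((name, "high", "port security is not enabled"))
            continue
        if ps["status"] == "secure-shutdown":
            findings.append((name, "high", f"err-disabled after a violation from "
                             f"{ps['last_mac']} on VLAN {ps['last_vlan']}; needs shut/no shut "
                             f"or errdisable recovery"))
        elif ps["violations"]:
            findings.append((name, "medium", f"{ps['violations']} violating frame(s) dropped "
                             f"in {ps['violation_mode']} mode, last from {ps['last_mac']}"))
        if ps["violation_mode"] == "protect":
            findings.append((name, "low", "protect mode: violations are neither logged nor "
                             "counted, so a zero counter proves nothing"))
    return findings


if __name__ == "__main__":
    for iface, severity, message in audit(SAMPLE_OUTPUTS):
        print(f"{iface:6} {severity:6} {message}")
```

In practice you would feed `audit()` the output of the command collected over SSH or from a config backup, one entry per interface; the parser keys on the field names, so the exact column padding does not matter.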



To manually re-enable the interface after a violation has occurred:

First disconnect the unauthorized device.  Then:
SW1(config)#int g0/1
SW1(config-if)#shutdown
SW1(config-if)#no shut

You can configure the switch to automatically re-enable a port after a period of time.  There are many reasons a port can enter the 'ErrDisable' state; 'psecure-violation' (port security violation) is only one of them.

SW1#show errdisable recovery
^ Shows all the possible reasons a port can go into errdisable state, including psecure-violation:

ErrDisableReason    Timer Status
psecure-violation    Disabled

Disabled = no recovery timer for that cause (this is the default)

If errdisable recovery is enabled for a cause, the default is to re-enable the disabled interface after 5 minutes (300 seconds).

SW1(config)#errdisable recovery cause psecure-violation
^ Enables recovery for cause "psecure-violation" (the disabled port will be re-enabled after 5 minutes).

SW1(config)#errdisable recovery interval 180
^ Drops the timer down to 3 minutes.  The interval is in seconds, and it is a single global timer that applies to every errdisable recovery cause, not just psecure-violation.

You can manually configure the authorized MAC address on a port, and change the violation mode at the same time.  Recall the default violation mode is Shutdown:

SW1(config-if)#switchport port-security
^ Turns on port security

SW1(config-if)#switchport port-security mac-address 000a.000a.000a
^ Sets the authorized MAC address (a static secure MAC address)

SW1(config-if)#switchport port-security violation restrict
^ Changes from the default of shutdown to restrict mode.

MAC address aging:

MAC addresses dynamically learned or statically configured on a port-security-enabled port are called secure MAC addresses.  By default they don't age out; there is no timer.

You can change that behavior:

switchport port-security aging time <minutes>
^ Changes the age-out time for learned secure MAC addresses (in minutes; the default of 0 means no aging).

Aging Type:
switchport port-security aging type {absolute | inactivity}
^ Sets the aging type:

Absolute = Default = After the secure MAC address is learned, the aging timer starts and the MAC is removed after the timer expires even if the switch continues receiving frames from that source MAC.
Inactivity = Like regular MAC address aging, aging timer starts when learned but is reset every time a frame from that source MAC address is received on that interface.

By default, statically configured secure MAC addresses won't age out.  You can override this behavior so the switch ages them out just like dynamically learned addresses:

switchport port-security aging static

Sticky Secure MAC Addresses:

SW1(config-if)#switchport port-security mac-address sticky
^ Dynamically learned secure MAC addresses will be added to the running-config like this:
switchport port-security mac-address sticky <mac-addr>

These 'sticky' secure MAC addresses will *never* age out, even if you enable static aging.  However, they are added to the running-config, not the startup-config.  So you need to save the running-config (copy running-config startup-config) to make them truly permanent, or you will lose them at the next switch reboot.

Sticky and static secure MAC addresses show up with a type of STATIC in the MAC address table.

SW1#show mac address-table secure
^ Displays all secure MAC addresses



[These are my notes from Jeremy's excellent CCNA course which can be viewed here.]